author | Lukas Reschke <lukas@owncloud.com> | 2016-06-29 21:34:10 +0300 |
committer | Lukas Reschke <lukas@owncloud.com> | 2016-06-29 21:34:10 +0300 |
commit | f7349588361457f61ce4877c9939ce1852bb7053 (patch) | |
tree | a217c3210106a3de493d233ac5161543bedbc421 /lib | |
parent | 487bf7616575aafc5057af1acf14a39da2545f26 (diff) |
Add possibility to enforce local user account
Fixes https://github.com/nextcloud/user_saml/issues/12
Fixes https://github.com/nextcloud/user_saml/issues/5
Diffstat (limited to 'lib')
-rw-r--r-- | lib/controller/samlcontroller.php | 18 | ||||
-rw-r--r-- | lib/controller/settingscontroller.php | 5 | ||||
-rw-r--r-- | lib/samlsettings.php | 1 | ||||
-rw-r--r-- | lib/userbackend.php | 54 |
4 files changed, 73 insertions, 5 deletions
diff --git a/lib/controller/samlcontroller.php b/lib/controller/samlcontroller.php
index d7169177..68550434 100644
--- a/lib/controller/samlcontroller.php
+++ b/lib/controller/samlcontroller.php
@@ -108,6 +108,16 @@ class SAMLController extends Controller {
 exit();
 }
+ // Check whether the user actually exists, if not redirect to an error page
+ // explaining the issue.
+ $uidMapping = \OC::$server->getConfig()->getAppValue('user_saml', 'general-uid_mapping', '');
+ if(isset($auth->getAttributes()[$uidMapping])) {
+ $uid = $auth->getAttributes()[$uidMapping][0];
+ $userExists = \OC::$server->getUserManager()->userExists($uid);
+ if(!$userExists) {
+ return new Http\RedirectResponse(\OC::$server->getURLGenerator()->linkToRouteAbsolute('user_saml.SAML.notProvisioned'));
+ }
+ }
 $this->session->set('user_saml.samlUserData', $auth->getAttributes());
 $this->session->set('user_saml.samlNameId', $auth->getNameId());
@@ -135,4 +145,12 @@ class SAMLController extends Controller {
 $this->userSession->logout();
 $auth->logout($returnTo, $parameters, $nameId, $sessionIndex);
 }
+
+ /**
+ * @PublicPage
+ * @NoCSRFRequired
+ */
+ public function notProvisioned() {
+ return new Http\TemplateResponse($this->appName, 'notProvisioned', [], 'guest');
+ }
 }
diff --git a/lib/controller/settingscontroller.php b/lib/controller/settingscontroller.php
index 333f6f78..906b2046 100644
--- a/lib/controller/settingscontroller.php
+++ b/lib/controller/settingscontroller.php
@@ -80,7 +80,10 @@ class SettingsController extends Controller {
 'type' => 'line',
 'required' => true,
 ],
-
+ 'require_provisioned_account' => [
+ 'text' => $this->l10n->t('Only allow authentication if an account is existent on some other backend. (e.g. LDAP)'),
+ 'type' => 'checkbox',
+ ],
 ];
 $params = [
diff --git a/lib/samlsettings.php b/lib/samlsettings.php
index edd73751..9e4a0547 100644
--- a/lib/samlsettings.php
+++ b/lib/samlsettings.php
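Review bot: The provisioning check fails open: when `general-uid_mapping` is unset (`$uidMapping === ''`) or the IdP response carries no attribute of that name, `isset()` is false, the whole block is skipped and execution continues to the session writes below it, so the notProvisioned page is never shown in exactly the cases where the uid cannot be determined. The UserBackend change in this commit makes getCurrentUserId() return '' in that situation, so the likely outcome is a failed login later rather than access, but the user gets no explanation. An explicit guard keeps the behaviour uniform and also avoids the undefined-offset notice that `[0]` raises on an attribute that is present but empty: `if ($uidMapping === '' || !isset($auth->getAttributes()[$uidMapping][0])) {` followed by the same redirect. Reading `$attributes = $auth->getAttributes();` once instead of three times would make the block easier to follow. The enclosing method continues outside the hunk.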
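Review bot: notProvisioned() is a new public, CSRF-exempt action whose docblock carries only the two annotations; a one-line description and return type would help the next reader, e.g. `* Error page shown when the SAML subject has no account on any registered backend.` and `* @return Http\TemplateResponse`. The response passes no template parameters and uses the 'guest' layout, which is the right shape for a route reachable before authentication.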
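Review bot: The new checkbox label reads awkwardly (`an account is existent on some other backend`); since the string is introduced here and not yet translated, `Only allow authentication if an account exists on some other backend (e.g. LDAP).` would be clearer. The key `require_provisioned_account` is read back as `general-require_provisioned_account` in lib/userbackend.php, which presumably depends on this entry living in the `general` settings group; the array that contains it starts outside the hunk, so that cannot be confirmed here.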
@@ -72,7 +72,6 @@ class SAMLSettings {
 ],
 ];
-
 $spx509cert = $this->config->getAppValue('user_saml', 'sp-x509cert', '');
 $spxprivateKey = $this->config->getAppValue('user_saml', 'sp-privateKey', '');
 if($spx509cert !== '') {
diff --git a/lib/userbackend.php b/lib/userbackend.php
index 7ef3b90e..987cae35 100644
--- a/lib/userbackend.php
+++ b/lib/userbackend.php
@@ -42,6 +42,8 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 private $session;
 /** @var IDb */
 private $db;
+ /** @var \OCP\UserInterface[] */
+ private $backends;
 /**
 * @param IConfig $config
@@ -72,7 +74,7 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 * @since 4.5.0
 */
 public function implementsActions($actions) {
- return (bool)((\OC_User_Backend::CHECK_PASSWORD | \OC_User_Backend::GET_DISPLAYNAME)
+ return (bool)((\OC_User_Backend::CHECK_PASSWORD)
 & $actions);
 }
@@ -136,7 +138,15 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 * @since 4.5.0
 */
 public function userExists($uid) {
- return true;
+ if($backend = $this->getActualUserBackend($uid)) {
+ return $backend->userExists($uid);
+ }
+
+ if($this->autoprovisionAllowed()) {
+ return true;
+ } else {
+ return false;
+ }
 }
@@ -210,7 +220,10 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 $uidMapping = $this->config->getAppValue('user_saml', 'general-uid_mapping', '');
 if($uidMapping !== '' && isset($samlData[$uidMapping])) {
- return $samlData[$uidMapping][0];
+ $uid = $samlData[$uidMapping][0];
+ if($this->userExists($uid)) {
+ return $uid;
+ }
 }
 return '';
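Review bot: `private $backends;` has no initialiser, so if registerBackends() (added in the last hunk of this file; nothing in the diff calls it) is never invoked, getActualUserBackend() iterates over null, which PHP reports as an invalid foreach argument and then treats as an empty list — every lookup silently falls through to the autoprovisioning answer. Declaring it as `private $backends = [];` makes that path explicit and warning-free, and matches the `@var \OCP\UserInterface[]` docblock already on it.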
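Review bot: In userExists(), getActualUserBackend($uid) only returns a backend whose userExists($uid) was already true, so the inner `return $backend->userExists($uid);` repeats the same lookup — a second round-trip for remote backends such as LDAP on every call. `if ($this->getActualUserBackend($uid) !== null) { return true; }` followed by `return $this->autoprovisionAllowed();` gives the same answer with one query and drops the if/else that returns literal booleans. Assigning inside the condition also hides that an object is being truth-tested; the explicit null comparison reads better.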
@@ -226,4 +239,39 @@ class UserBackend implements IApacheBackend, UserInterface, IUserBackend {
 return 'user_saml';
 }
+ /**
+ * Whether autoprovisioning is enabled or not
+ *
+ * @return bool
+ */
+ private function autoprovisionAllowed() {
+ return $this->config->getAppValue('user_saml', 'general-require_provisioned_account', '0') === '0';
+ }
+
+ /**
+ * Gets the actual user backend of the user
+ *
+ * @param string $uid
+ * @return null|UserInterface
+ */
+ public function getActualUserBackend($uid) {
+ foreach($this->backends as $backend) {
+ if($backend->userExists($uid)) {
+ return $backend;
+ }
+ }
+
+ return null;
+ }
+
+ /**
+ * Registers the used backends, used later to get the actual user backend
+ * of the user.
+ *
+ * @param \OCP\UserInterface[] $backends
+ */
+ public function registerBackends(array $backends) {
+ $this->backends = $backends;
+ }
+
 }
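Review bot: getActualUserBackend() calls userExists() on every registered backend, and this class's own userExists() calls getActualUserBackend(); if the array handed to registerBackends() ever includes this SAML backend itself (the caller is not in the diff, so this is an assumption to confirm), the two recurse without bound. A `if ($backend === $this) { continue; }` guard at the top of the loop makes the method safe regardless of what the caller registers. The docblock's `@return null|UserInterface` names the UserInterface the class implements while the property is typed `\OCP\UserInterface[]`; using the same spelling in both places avoids a reader wondering whether they are different types. autoprovisionAllowed() compares the stored value with the string '0', so any other stored value — including an empty string — disables autoprovisioning; that is the safe direction, and a short comment such as `// Anything other than the default '0' turns the requirement on.` would record it as intentional.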